Apparent BIND problem doing RBL lookups for Postfix

Barry Margolin barmar at alum.mit.edu
Sat Apr 17 02:48:32 UTC 2010


In article <mailman.1185.1271408848.21153.bind-users at lists.isc.org>,
 "Nuno Paquete" <nunopaquete at lusocargo.pt> wrote:

> Greg,
> 
> Usually we use forwarders so we don't always have to bother root
> servers. 

You only bother the root servers when the TLD's NS records aren't in 
cache.  Since these NS records have 2-day TTLs, you don't have to go to 
the root servers very often.

> Because our ISP deals with a great amount of requests from all its
> clients, probably most of your new requests are already in their cache
> and it's much faster than querying a root server, because it's on the same
> network.

This is certainly true for popular names like yahoo.com and google.com.  
But entries in the spamhaus RBL are not as likely to be cached, because 
most users don't look these things up.

> I mentioned the forwarders parameter because it's usual to use our ISP's
> dns servers as a forwarder and I thought you might have had a misconfigured
> forwarder.
> Although you have forwarders configured, from the point of view of your
> dns clients your dns server still answers the requests the same way, and
> if you have a problem with your dns server, the problem still remains,
> so you are not putting the problem away.
> 
> > Well, using forwarders might fix "general" bind errors, but it's
> > likely to run into problems for RBL lookups at spamhaus.org - since
> > they have limits (100K SMTP connects a day, and 300K lookups)
> > So using my ISP's name servers which have higher volume is likely to
> > run afoul of those limits because it's aggregating traffic. Even if
> > it doesn't right now, it could at any time when someone else does the
> > same and that increase in lookups pushes us over the edge.
> 
> I don't think so. All the requests to spamhaus.org will be made by your
> postfix box, not from your forwarders. 

But the postfix box queries his nameserver, which would then query the 
ISP's nameserver.  By the time the query reaches the spamhaus authority, 
it will be coming from the ISP's server, and thus subject to the rate 
limiter.

However, I doubt that spamhaus would set their rate limits low enough 
that the aggregated queries from an ISP would trigger it.  They've 
presumably looked at their actual hit rates, and 300K lookups/day 
probably allows plenty of breathing room.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
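If you do want the benefit of forwarding for ordinary lookups but want the RBL queries to leave your own resolver's address (so the authority sees your traffic, not the ISP's aggregate, as Barry describes above), BIND lets a forward zone override the global forwarders. The fragment below is an added example for this thread, not configuration posted by anyone in it; the ISP resolver addresses are RFC 5737 placeholders and the zone name zen.spamhaus.org is assumed as the RBL zone in use (adjust it to whichever DNSBL zones your Postfix reject_rbl_client entries name):

```conf
// named.conf excerpt (added example, not from the original thread).
// Global forwarding: everything goes to the ISP's resolvers first and
// falls back to full recursion if they do not answer.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localnets; localhost; };   // keep it a closed resolver
    forwarders { 192.0.2.53; 192.0.2.54; };      // placeholder ISP resolvers
    forward first;
};

// Per-zone override: an empty forwarders list in a forward zone disables
// forwarding for that name and everything below it, so lookups such as
// 2.0.0.127.zen.spamhaus.org recurse directly from this server and the
// spamhaus authority sees this host's address, not the ISP's.
zone "zen.spamhaus.org" {
    type forward;
    forwarders { };
};
```

After reloading, confirm the path with `rndc flush` followed by `dig +trace 2.0.0.127.zen.spamhaus.org` from the Postfix box's resolver (127.0.0.2 is the conventional DNSBL test address); a trace that walks root, .org and spamhaus nameservers rather than returning straight from the forwarder shows the override is in effect.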